8/9/2019 Internet of Things Security Study
http://slidepdf.com/reader/full/internet-of-things-security-study 1/4
Report
Internet of Things
Security Study:
Home Security Systems Report
The Internet of Things (IoT) will undoubtedly continue to make
headlines in 2015, with the issue of security becoming more
prevalent. As a follow-up to the 2014 HP Internet of Things Research
Study that reviewed the security of the top 10 most common IoT
devices, we now explore the security of some of the most popular
connected home security systems. There is no question as to the
safety and convenience that their remote monitoring capabilities
deliver, but do these smart security devices actually make our homes
safer or put them at more risk by providing easier electronic access
via an (insecure) IoT device?
Overview
Connected home security systems offer a myriad of features including
door and window sensors, motion detectors, video cameras and
recording mechanisms – all connected via the cloud to a mobile device
or the web.
In our ongoing research, we continued to see significant deficiencies in
the areas of authentication and authorization along with insecure
cloud and mobile interfaces. It is of particular concern to see these
deficiencies in systems whose primary function is security.
While we discovered a significant increase in the use of transport
encryption such as SSL/TLS, we also identified issues with the
configuration and implementation that could weaken the data
security normally provided by such encryption mechanisms.
Report Findings
HP reviewed ten of the newest home security systems revealing an alarmingly
high number of authentication and authorization issues along with concerns
regarding mobile and cloud-based web interfaces.
The intent of these systems is to provide security and remote monitoring to a
home owner, but given the vulnerabilities we discovered, the owner of the
home security system may not be the only one monitoring the home.
Gartner, Inc. forecasts that 4.9 billion connected things will be in use in 2015, up 30 percent from 2014, and will reach 25 billion by 2020.
Gartner, Press Release, "Gartner Says 4.9 Billion Connected "Things" Will Be in Use in 2015", November 2014, http://www.gartner.com/newsroom/id/2905
Insufficient Authentication/Authorization
An attacker can use vulnerabilities such as weak passwords, insecure password recovery mechanisms and poorly protected credentials to gain access to a system. Every system, across both its cloud-based web interface and its mobile interface, failed to require passwords of sufficient complexity and length; most required only a six-character alphanumeric password. Most systems also lacked the ability to lock out accounts after a certain number of failed attempts. Together these weaknesses enable account harvesting: an attacker can guess login credentials at will and gain access to the system. A single system offered two-factor authentication, and only one implemented Apple's Touch ID for authentication to the mobile application interface.
Furthermore, many of these systems allow additional users to be added. Even when those users are known persons (e.g. neighbors or family members), each extra account created with a weak password, with access to video cameras for example, raises the chance that an attacker finds an account to use for access to the system.
OWASP Internet of Things Top 10 – I2 Insufficient Authentication/Authorization
• 100% allowed the use of weak passwords
• 100% lacked an account lockout mechanism that would prevent automated attacks
• 100% were vulnerable to account harvesting, allowing attackers to guess login credentials and gain access
• Four of the seven systems that had cameras gave the owner the ability to grant video access to additional users, further exacerbating account harvesting issues
• Two of the systems allowed video to be streamed locally without authentication
• A single system offered two-factor authentication
Lack of Transport Encryption
Transport encryption is critical for all communications that travel across the internet
in order to protect sensitive data such as credentials, personal information, device
security settings and private video. Properly configured transport encryption matters
all the more because security is the primary function of these home security systems.
While all systems implemented transport encryption using SSL/TLS, we discovered that
many of the cloud connections still negotiated SSLv3, which leaves them vulnerable to
the POODLE attack, and even allowed the use of SSL v2.
OWASP Internet of Things Top 10 – I4 Lack of Transport Encryption
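The cloud connections above still negotiated SSLv3, the protocol version POODLE depends on. The following is an added example, not code from the report or from any of the tested products: it builds a minimal ClientHello by hand that offers only the version under test, so the check works even where the local TLS library no longer speaks SSLv3, and classifies the first record the server returns. The host name, the cipher suites offered and the sample ServerHello bytes are assumptions constructed for the example; SSLv2 uses a different hello format and is not covered here.

```python
import os
import socket
import struct
import sys

SSLV3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
VERSION_NAMES = {SSLV3: "SSLv3", TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2"}

# Cipher suites offered in the hello: RSA-key-exchange suites that SSLv3-era
# servers accept (an assumption for the probe, not taken from the report).
OFFERED_SUITES = (0x002F, 0x0035, 0x000A)  # AES128-SHA, AES256-SHA, DES-CBC3-SHA

RECORD_HANDSHAKE, RECORD_ALERT = 0x16, 0x15
HS_CLIENT_HELLO, HS_SERVER_HELLO = 0x01, 0x02


def build_client_hello(version):
    """Return one TLS record carrying a minimal ClientHello that offers only `version`."""
    body = struct.pack("!H", version)
    body += os.urandom(32)                        # client random
    body += b"\x00"                               # empty session id
    suites = b"".join(struct.pack("!H", s) for s in OFFERED_SUITES)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                           # one compression method: null
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([RECORD_HANDSHAKE]) + struct.pack("!HH", version, len(handshake)) + handshake


def classify_response(data):
    """Interpret the first record a server sent back after our hello.
    Returns ("accepted", negotiated_version) for a ServerHello, else ("rejected", reason)."""
    if len(data) < 5:
        return ("rejected", "connection closed without a record")
    content_type, rec_len = data[0], struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if content_type == RECORD_ALERT and len(payload) >= 2:
        return ("rejected", "alert level=%d description=%d" % (payload[0], payload[1]))
    if content_type == RECORD_HANDSHAKE and len(payload) >= 6 and payload[0] == HS_SERVER_HELLO:
        return ("accepted", struct.unpack("!H", payload[4:6])[0])
    return ("rejected", "unexpected record type 0x%02x" % content_type)


def poodle_exposed(data):
    """True when the server completed a ServerHello at SSLv3, the version POODLE needs."""
    status, detail = classify_response(data)
    return status == "accepted" and detail == SSLV3


def probe(host, port=443, version=SSLV3, timeout=5.0):
    """Network check: offer only `version` to host:port and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version))
        try:
            data = sock.recv(4096)
        except socket.timeout:
            data = b""
    return classify_response(data)


def sample_server_hello(version):
    """Constructed ServerHello bytes for offline testing (not captured from any product)."""
    body = struct.pack("!H", version) + b"\x11" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = bytes([HS_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([RECORD_HANDSHAKE]) + struct.pack("!HH", version, len(handshake)) + handshake


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"  # placeholder host
    for v in (SSLV3, TLS10, TLS12):
        try:
            status, detail = probe(host, version=v)
        except OSError as exc:
            status, detail = "error", str(exc)
        if status == "accepted":
            detail = "negotiated " + VERSION_NAMES.get(detail, hex(detail))
        print("%-8s %s: %s" % (VERSION_NAMES[v], status, detail))
```

Read the result narrowly: an "accepted" ServerHello at SSLv3 is a finding, but a "rejected" answer to the TLS 1.2 hello is not evidence that TLS 1.2 is unsupported, because this hello carries no extensions (no SNI, no signature_algorithms) and a modern server may refuse it for that reason alone.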
Insecure Cloud Interface
Seven of the ten systems made use of cloud-based web interfaces, and all of those interfaces exhibited account enumeration concerns. Valid user accounts can be identified through the feedback returned by reset password mechanisms, credential input and sign-up pages.
OWASP Internet of Things Top 10 – I6 Insecure Cloud Interface
Insecure Mobile Interface
Five of the ten systems tested exhibited account enumeration concerns in their mobile application interface. Valid user accounts can be identified through the feedback returned by reset password mechanisms and credential input.
OWASP Internet of Things Top 10 – I7 Insecure Mobile Interface
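The account-handling gaps described under Insufficient Authentication/Authorization, Insecure Cloud Interface and Insecure Mobile Interface share one fix on the server side. The following is an added example, not code from the report or from any of the tested products; it assumes a small in-memory user store and illustrative policy values (12-character minimum, five failures, 15-minute lockout), and shows a password policy check, a failure counter with lockout, and login and reset responses that read the same whether or not the account exists.

```python
import hashlib
import hmac
import os
import re
import secrets
import time

# Policy values are assumptions for this example, not values from the report.
MIN_LENGTH = 12
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ROUNDS = 100_000

# One message for every failure, so a response never reveals whether the
# username exists (the enumeration problem the report found in login,
# password reset and sign-up pages).
GENERIC_LOGIN_ERROR = "Invalid username or password."
GENERIC_RESET_MESSAGE = "If that account exists, a reset link has been sent."


def password_policy_errors(password):
    """Return the list of policy violations; an empty list means the password is acceptable.
    A six-character alphanumeric password, which most tested systems accepted, fails both rules."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("shorter than %d characters" % MIN_LENGTH)
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(1 for c in classes if re.search(c, password)) < 3:
        errors.append("fewer than three character classes")
    return errors


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class AuthStore:
    """In-memory stand-in for the cloud/mobile back end's user database."""

    def __init__(self):
        self._users = {}         # username -> (salt, derived key)
        self._failures = {}      # username -> (consecutive failures, time of last failure)
        self._reset_tokens = {}  # username -> outstanding reset token

    def register(self, username, password):
        errors = password_policy_errors(password)
        if errors:
            raise ValueError("weak password: " + "; ".join(errors))
        salt = os.urandom(16)
        self._users[username] = (salt, _derive(password, salt))

    def _is_locked(self, username, now):
        count, last = self._failures.get(username, (0, 0.0))
        return count >= MAX_FAILURES and now - last < LOCKOUT_SECONDS

    def _record_failure(self, username, now):
        count, last = self._failures.get(username, (0, 0.0))
        if now - last >= LOCKOUT_SECONDS:
            count = 0  # an expired lockout window starts a fresh count
        self._failures[username] = (count + 1, now)

    def login(self, username, password, now=None):
        """Return (True, "OK") or (False, GENERIC_LOGIN_ERROR). `now` is injectable for tests."""
        now = time.time() if now is None else now
        if self._is_locked(username, now):
            return (False, GENERIC_LOGIN_ERROR)
        record = self._users.get(username)
        # Run the KDF even for unknown users so response time does not leak existence.
        salt, stored = record if record is not None else (b"\x00" * 16, b"\x00" * 32)
        if record is not None and hmac.compare_digest(_derive(password, salt), stored):
            self._failures.pop(username, None)
            return (True, "OK")
        self._record_failure(username, now)
        return (False, GENERIC_LOGIN_ERROR)

    def request_reset(self, username):
        """Same message for every username; a token is issued (and would be e-mailed) only for real accounts."""
        if username in self._users:
            self._reset_tokens[username] = secrets.token_urlsafe(32)
        return GENERIC_RESET_MESSAGE
```

A lockout keyed on the username alone lets an attacker who knows a username lock the owner out, so pair it with per-source rate limiting and logging of failures rather than relying on it by itself; the two-factor authentication that only one tested system offered removes most of the value of a guessed password in the first place.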
Insecure Software/Firmware
Several systems had concerns with the protection of firmware updates, including
transmitting updates over unencrypted connections and without encrypting the update
files themselves. In one instance, firmware was retrieved via FTP, allowing the capture
of credentials that would give an attacker write access to the update server and so
the ability to alter what other devices download. We did not find obvious update
capabilities in six out of ten systems, and none offered any kind of automated update
functionality, even one the user could trigger by means of an update button.
Three of ten systems allowed the user to decide whether to accept or decline the
latest firmware update when one became available. None of the systems we
tested indicated both the latest firmware date and version.
OWASP Internet of Things Top 10 – I9 Insecure Software/Firmware
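Against the update weaknesses just described, the following added example (not code from the report or from any tested product) shows the checks a device-side updater can apply before flashing an image: insist on an https download URL, bind the image to its manifest by SHA-256, refuse anything not newer than the installed version so a captured old image cannot be replayed, and surface the version and date the report found missing. The manifest layout, the host name and the sample image are constructed for the example; in production the manifest must itself arrive over an authenticated channel or carry a signature, which the standard library does not provide.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse


class UpdateRejected(Exception):
    pass


def parse_manifest(text):
    """Assumed manifest layout for this example: JSON with version, date, url and sha256."""
    manifest = json.loads(text)
    for key in ("version", "date", "url", "sha256"):
        if key not in manifest:
            raise UpdateRejected("manifest missing %r" % key)
    return manifest


def version_tuple(version):
    """'2.1.0' -> (2, 1, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def evaluate_update(manifest, image, installed_version):
    """Return (True, (version, date)) if `image` may be installed, else (False, reason)."""
    url = urlparse(manifest["url"])
    if url.scheme != "https":
        # The report found images served over FTP and plain HTTP; refuse both.
        return (False, "refusing %s:// download; the image must come over TLS" % url.scheme)
    if version_tuple(manifest["version"]) <= version_tuple(installed_version):
        return (False, "refusing downgrade or replay to %s (installed %s)"
                % (manifest["version"], installed_version))
    digest = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"].lower()):
        return (False, "image hash does not match manifest")
    return (True, (manifest["version"], manifest["date"]))


# Constructed sample data, not from any real product.
SAMPLE_IMAGE = b"constructed firmware image, version 2.1.0"
SAMPLE_MANIFEST = json.dumps({
    "version": "2.1.0",
    "date": "2015-02-10",
    "url": "https://updates.example.invalid/fw-2.1.0.bin",
    "sha256": hashlib.sha256(SAMPLE_IMAGE).hexdigest(),
})

if __name__ == "__main__":
    manifest = parse_manifest(SAMPLE_MANIFEST)
    print(evaluate_update(manifest, SAMPLE_IMAGE, "2.0.3"))
    print(evaluate_update(dict(manifest, url="ftp://updates.example.invalid/fw.bin"),
                          SAMPLE_IMAGE, "2.0.3"))
```

The hash only binds the image to the manifest; it proves nothing about who wrote the manifest. The version check is what stops an attacker who captured last year's image from re-serving it, and the https check is what makes the FTP credential capture described above a non-issue for devices in the field.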
Privacy Concerns
All systems collected some form of personal information such as name, address, date of birth, phone number and even credit card numbers. Exposure of this personal information is of concern given the account enumeration issues and use of weak passwords across all systems. It is also worth noting that video is a key feature of many systems, with viewing available via mobile applications and cloud-based web interfaces. These systems therefore raise concerns both for data privacy and for the privacy of video images from inside the home.
OWASP Internet of Things Top 10 – I5 Privacy Concerns
• 50% exhibited improperly configured or poorly implemented SSL/TLS
• 70% allowed unrestricted account enumeration through their cloud-based web interface
• 50% allowed unrestricted account enumeration through their mobile application interface
• 60% indicated no obvious update capabilities and none offered any kind of automatic update functionality
• 70% made video streaming available through their cloud-based web interface or mobile application interface
Conclusion
The Internet of Things continues to impress with both its promise and its offerings as we enter 2015. Products, services and ecosystems around the Internet of Things will increasingly offer a wide range of benefits that will entice both consumers and businesses.
This research does not aim to dampen that enthusiasm, but rather to inform users that these capabilities come with risks, and that it is in everyone's best interest to understand those risks before activating these systems.
Recommendations
HP has the following recommendations for those looking to implement Internet of Things devices in a more secure manner:
Consumer
• Include security in the feature considerations when evaluating potential Internet of Things product purchases.
• Avoid using system defaults for usernames and passwords whenever possible, and choose good passwords when the option is available.
Enterprise
• Implement segmentation between Internet of Things devices and the rest of the network using a firewall or other filtering technology.
• Configure supplemental security features (that may not be enabled by default). Examples might include password strength policies, account lockouts, logging and two-factor authentication.
Methodology
HP Fortify on Demand used standard techniques to test the Internet of Things systems, combining manual testing with the use of automated tools. Devices and their components were assessed based on the OWASP Internet of Things Top 10 and the specific vulnerabilities associated with each top 10 category.
The resulting data and percentages in this report were drawn from the 10 IoT
systems tested. While there are many more IoT devices currently on the market, we
believe the similarity in results of the 10 devices provides a good indicator of where
the market currently stands as it relates to security and the Internet of Things.
Learn more at
hp.com/go/fortifyondemand